# CanaRy

## Problem

> This time we added a canary to detect buffer overflows. Can you still find a way to retrieve the flag from this program located in /problems/canary\_2\_dffbf795b4788666d54a993a5e41d145. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/CanaRy/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/CanaRy/vuln.c)

## Solution

1. `BUF_SIZE` is 32 bytes, so pad with `'a'*32` to reach the canary, which sits next on the stack.
2. Leak the canary by running the [break-canary.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/CanaRy/break-canary.py) script on the shell server.
3. Paste the leaked canary into [bruteforce-pie.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/CanaRy/bruteforce-pie.py) on line 13.
4. The offset after the canary was determined locally with `cyclic(24)` and `cyclic_find()`, using `python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln`; the offset came out to `'a'*16`.
5. The last 1.5 bytes of the `display_flag` function were determined with `readelf -s vuln`.
6. The first byte was found in gdb by placing a breakpoint at `vuln` and running; the output `Breakpoint 1, 0x56622a14 in main ()` gives the first byte, `0x56`.
7. Hex loops are used to brute-force every possible value of the remaining 1.5 bytes, and `p32` from `pwntools` converts each candidate address to little endian.
8. Run [bruteforce-pie.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/CanaRy/bruteforce-pie.py) on the shell server by pasting the `bruteforce_pie` function (after running `from pwn import *`) into a Python terminal and then running `print bruteforce_pie()`.
9. The flag appears after a few minutes.
10. If the flag doesn't appear after running the script, run it again and it will work (the script doesn't check addresses that contain zero bytes).

### Flag

`picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}`
